github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

Inconsistent package identifier format for vulnerabilities in the Swift ecosystem #3333

Closed fviernau closed 8 months ago

fviernau commented 9 months ago

The vulnerability data has been imported to osv.dev, where I observed the issue which I filed here: https://github.com/google/osv.dev/issues/1923. Here's the copied description:


Looking at the vulnerabilities linked to SwiftURL packages [1], it seems that there are multiple variants of how the canonical package name is constructed:

  1. SwiftURL/https://github.com/grpc/grpc-swift.git
  2. SwiftURL/https://github.com/apple/swift-nio-http2.git
  3. SwiftURL/github.com/vapor/leaf-kit

In SwiftPM a canonical name is derived using some normalization which includes, amongst others:

  1. Dropping .git suffix
  2. Dropping the protocol
  3. Lowercasing
  4. Dropping port, and user info

...see also [2]. Should osv.dev normalize the IDs of the packages and specify the normalization, so that it is straightforward to craft a query to obtain vulnerabilities for a specific Swift package?

[1] https://osv.dev/list?ecosystem=SwiftURL&q=
[2] https://github.com/apple/swift-package-manager/blob/24bfdd180afdf78160e7a2f6f6deb2c8249d40d3/Sources/PackageModel/PackageIdentity.swift#L345
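The practical risk behind the report above is a false negative: if an advisory is stored under `https://github.com/org/repo.git` and a scanner queries for `github.com/org/repo`, the match silently fails and the vulnerability is never surfaced. The following is an added example, not code from the advisory database, osv.dev or SwiftPM, showing a normalizer that applies the four steps listed in the issue (drop the `.git` suffix, drop the scheme, lowercase, drop port and user info) so that all observed spellings collapse to one identifier. It goes slightly beyond the list by also accepting scp-style `git@host:org/repo` URLs, and it assumes the leading `SwiftURL/` seen in the examples is osv.dev's ecosystem label rather than part of the URL; both are assumptions, and `canonical_package_id` is a hypothetical helper name.

```python
"""Collapse the Swift package URL variants from the issue into one identifier.

Added example (not SwiftPM's or osv.dev's code). Mirrors the four
normalization steps quoted in the issue; scp-style URL handling and the
treatment of the "SwiftURL/" prefix are assumptions made here.
"""
import re
from urllib.parse import urlsplit

ECOSYSTEM_PREFIX = "SwiftURL/"  # assumption: osv.dev ecosystem label, not part of the URL

# scp-like form: [user@]host:path, but NOT scheme://... (the lookahead rejects "://")
_SCP_LIKE = re.compile(r"^(?:[^@/]+@)?([^:/]+):(?!//)(.*)$")


def canonical_package_id(raw: str) -> str:
    """Return a canonical identifier such as 'github.com/org/repo'."""
    s = raw.strip()
    if s.startswith(ECOSYSTEM_PREFIX):
        s = s[len(ECOSYSTEM_PREFIX):]

    # Assumption beyond the issue's list: rewrite git@host:org/repo to host/org/repo
    m = _SCP_LIKE.match(s)
    if m:
        s = f"{m.group(1)}/{m.group(2).lstrip('/')}"

    # Step 2 (drop the protocol): a scheme-less value such as github.com/org/repo
    # needs a leading "//" so urlsplit treats the first segment as the host.
    if "://" not in s:
        s = "//" + s
    parts = urlsplit(s)

    # Step 4 (drop port and user info): .hostname excludes both and is lowercased
    host = parts.hostname or ""
    path = parts.path.rstrip("/")

    # Step 1 (drop the .git suffix)
    if path.lower().endswith(".git"):
        path = path[: -len(".git")]

    # Step 3 (lowercase the whole identifier)
    return f"{host}{path}".lower()


def all_same_package(variants) -> bool:
    """True when every spelling in `variants` normalizes to the same identifier."""
    ids = {canonical_package_id(v) for v in variants}
    return len(ids) == 1


# Constructed sample: one package written in the three styles seen on the
# osv.dev SwiftURL listing, plus an scp-style spelling.
OBSERVED_VARIANTS = [
    "SwiftURL/https://github.com/grpc/grpc-swift.git",
    "SwiftURL/github.com/grpc/grpc-swift",
    "https://GitHub.com/grpc/grpc-swift",
    "git@github.com:grpc/grpc-swift.git",
]

if __name__ == "__main__":
    for v in OBSERVED_VARIANTS:
        print(f"{v!r:55} -> {canonical_package_id(v)}")
    print("all variants match:", all_same_package(OBSERVED_VARIANTS))
```

A lookup built on this should normalize both the stored advisory identifier and the query on the same path; normalizing only one side reintroduces the mismatch the issue describes.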

KateCatlin commented 9 months ago

Hi @fviernau!

Thanks so much for writing in and letting us know about this issue. We've shipped a fix and backfilled the former Swift advisories!

Let us know if that's working for you or if you find any other issues!